Getting Information Security Training Right
December 17, 2008
Anybody who has talked to me in the past few years knows that one of the things that I’m most passionate about is evolving one’s career. Whether it’s the work I do with career coaching, my talks and research with Lee Kushner on infosec careers, or just my blog posts here, it’s a favorite topic of mine.
The topic of certifications goes hand in hand with career management – in fact, when Lee and I talk, one of our slides lists “What certification should I get?” as our “least favorite question”. Because we get it every time we talk to anybody.
One of the other things I’ve been doing of late is teaching classes to help people become more effective penetration testers. Penetration testing is where I started my career, and I really enjoy helping people learn those skills and develop that part of their capabilities. So, for the first few months after I left Neohapsis, I was working with one of the more well-known training organizations, and I expected to be able to make a difference.
Unfortunately, those expectations went unmet. Where the organization promised “deluxe accommodations” for their students, we were booked at the Quality Inn. Where they promised “cutting-edge techniques”, students got information and exercises that were 5 years old.
Anybody who has worked with me knows I’m a bit of a stickler for doing right by my clients. And this wasn’t right. And I was frustrated because, despite my emails to the leadership of the organization, I was seeing no improvement.
So, I was sharing this frustration with my associates over at Foreground Security (who also run The Hacker Academy). And they agreed with me. But they did it one better: they challenged me. Dave and Aaron said:
“Can you do better?”
When I told them I could, they threw down the gauntlet.
“Give it a shot. What would it need?”
After a few conversations, we came up with a few different things. First and foremost, the curriculum needs to be up to date. No more teaching stuff that is five years old and calling it “state of the art”. Exercises should be consistent with what Foreground’s team of pen-testers is seeing on real engagements on a daily basis. If tools/exploits/techniques stop being relevant, then we teach their replacements.
Second: the curriculum needs to be KEPT up to date. And so do the students. And the students need access to a quarterly update of all the things that are new. No more of the “get ‘em out the door” way of doing things – let’s ensure that every student who goes through this class is given access to continuing information that will let them stay current.
Third: Let’s give them real facilities with solid, repeatable technology and processes. It shouldn’t matter whether students take a class from us in Orlando, DC, San Francisco or Switzerland; the experience should be the same.
And, finally: Instructors should be trained to give the same material in the same way each time.
In short, we’ll run it like a business. And we’ll treat our students the way that they deserve to be treated.
Well, Dave and Aaron liked that so much that they told me to go for it. And they put out a press release about it. Our first class with the new curriculum I’m designing is going to be in mid-January, in Orlando. Because, really… who wants to be anywhere but Florida in January?
Email me if you have questions. Or email Aaron Cohen to find out the logistics, price, signup, etc.
Comments
5 Responses to “Getting Information Security Training Right”
So what differentiates this training from other training on the market? Is it just CEH with current tools? I have been looking for good training but have heard less than positive comments about CEH training. Other than SANS GIAC certifications, I have not found a good alternative which helps me as a hiring manager differentiate between those who can and those who can pass a test.
I have also seen what you describe – a misrepresentation of dated techniques as being cutting-edge, state of the art, etc. A reliance upon the sexiness of “hacking” and a continued re-hash of obsolete, or nearly obsolete, techniques. I think these techniques and older OS’s have value in getting a person introduced to the subject matter, but the material should move past that into what’s current. This might be tricky for a trainer however, as some techniques, especially deep system-level techniques such as heap overflows, are not intuitive and require training. How to keep the quality of training high while still leaving the door open to enough clients to make it worthwhile? And do you mean training whereby people learn the guts of the issues, or another tool-centric pentesting type of cert, or perhaps some new fresh approach? I’ve not taken the CEH, but I’ve taken “advanced ethical hacking” and obtained the CEPT cert, which they tout highly. I suggest that the CEPT is (mostly) an introduction to the hands-on aspects of memory corruption bugs and their exploitation techniques plus some other hands-on tools and basic RE. But to say that one “knows pentesting backwards and forwards” is a bit of a stretch; why don’t these organizations just express the truth about these training programs? Not every training program needs to be super-l33t or “advanced” but it seems common to prefix any security training with “advanced”, especially at the Black Hat trainings. It’s all relative, but some of what I’ve seen so far does NOT keep you up to date, except perhaps some SANS courses that require you to refresh the cert after a few years. I’ve not had the fortune to take an endless amount of training, so my perspective is somewhat limited, but your article seems relevant. Thanks.
After I wrote my response, I realized that I am blurring “security researcher” and “penetration tester” roles a bit. I see overlap between them, but I suppose it’s not really fair to mash these together. Security research feeds penetration testing though, and it’s mighty interesting. eot.
Is this going to integrate the OWASP OPCP (Open Q/A)?
Is it going to integrate the OSSTMM 3.0 concepts? I’m not just talking about the STAR, but the whole “auditing the auditors” or “assessing the assessors” concepts?
How about providing a meaningful certification such as a PE (Professional Engineering) accreditation that would indicate that an individual could be sued by an organization for reducing operational security (or exposing/causing undue risk or damage)?
Just “updating” training is 2004 tactics.